The Continued Consequences of a Breach at AI Chatbot Developer Salesloft – Krebs on Security

Salesloft Authentication Token Breach Exposes Corporate Vulnerabilities

Recent developments in cybersecurity have raised alarms among businesses utilizing Salesloft, a platform that streamlines customer interactions into actionable leads for Salesforce. A significant breach involving the theft of authentication tokens from Salesloft has prompted fast action from numerous companies as they scramble to invalidate compromised credentials before malicious actors can exploit them. Google’s cybersecurity team has now indicated that the impact extends well beyond Salesforce, revealing that the attackers accessed valid tokens for a multitude of integrated online services, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.

Salesloft made a public disclosure on August 20, acknowledging a security issue related to the Drift application, an AI chatbot integral to many corporate operations. The disclosure urged clients to re-authenticate their connections between Drift and Salesforce applications. However, at that time, it did not clarify that these tokens had already been compromised.

By August 26, the Google Threat Intelligence Group (GTIG) revealed that a group of unidentified hackers tracked as UNC6395 had managed to leverage the stolen authentication tokens to extract vast amounts of data from various Salesforce instances. Google documented that the unauthorized data access had commenced as early as August 8, 2025, and persisted through at least August 18, stating that this breach did not exploit any inherent vulnerabilities within Salesforce’s infrastructure.

The attackers have reportedly been combing through the extensive data gathered, searching for credential material such as Amazon Web Services (AWS) keys, VPN credentials, and access tokens for cloud data platforms like Snowflake. The GTIG noted the potential ramifications: any such credentials the attackers find could allow them to pivot further into victim and partner environments.

On August 28, the GTIG updated its advisory, disclosing that the attackers had accessed a limited number of Google Workspace accounts specially configured for integration with Salesloft. They warned organizations to immediately invalidate all tokens connected to their Salesloft integrations, irrespective of the third-party service being utilized. Given the GTIG’s findings of extensive data exfiltration associated with this campaign, businesses using Salesloft are advised to treat their data as compromised and to initiate immediate remediation measures.
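The two preceding paragraphs describe what the attackers were hunting for in the exfiltrated Salesforce data and the advice to treat that data as compromised. A defender can run the same kind of triage over an export of their own records to learn which secrets were exposed and therefore what must be rotated first. The script below is an added example written for this page; it is not code from Krebs on Security, Google, Salesloft or Salesforce. The records, IDs and secret values are constructed; the AWS access key ID shape (AKIA/ASIA plus 16 uppercase alphanumerics) is AWS's documented format, and the remaining patterns are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Patterns for the credential kinds the article says the attackers searched for.
# The AWS access-key-ID shape is AWS's documented format; the others are assumptions.
CREDENTIAL_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|\s)?secret(?:_access)?(?:_|\s)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "snowflake_token": re.compile(
        r"(?i)snowflake[^\n]{0,40}?(?:token|password)\s*[:=]\s*['\"]?(\S{8,})"
    ),
    "vpn_credential": re.compile(
        r"(?i)vpn[^\n]{0,40}?(?:password|pass|psk)\s*[:=]\s*['\"]?(\S{6,})"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample of exported support-case records (Salesforce-like shape, not real data).
SAMPLE_RECORDS: List[dict] = [
    {"Id": "500CONSTRUCTED001", "Subject": "Onboarding help",
     "Description": "Customer could not log in; reset link sent."},
    {"Id": "500CONSTRUCTED002", "Subject": "ETL job failing",
     "Description": "Temp creds for the pipeline: aws_access_key_id=AKIAEXAMPLE0123456AB "
                    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500CONSTRUCTED003", "Subject": "Warehouse access",
     "Description": "snowflake service account token: sf_tok_EXAMPLE_abcdef123456"},
    {"Id": "500CONSTRUCTED004", "Subject": "Remote access",
     "Description": "vpn password = Examp1ePassw0rd (please delete after use)"},
]


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a report can be shared without re-leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text: str) -> List[dict]:
    """Return one finding per credential-looking match in a block of text."""
    findings = []
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        for match in pattern.finditer(text):
            # Use the capture group when the pattern has one, else the whole match.
            secret = match.group(1) if match.groups() else match.group(0)
            findings.append({"kind": kind, "preview": redact(secret)})
    return findings


def scan_records(records: List[dict], fields=("Subject", "Description")) -> List[dict]:
    """Scan the free-text fields of each record and tag findings with record and field."""
    results = []
    for record in records:
        for field in fields:
            for finding in scan_text(record.get(field) or ""):
                results.append({"record_id": record["Id"], "field": field, **finding})
    return results


def rotation_summary(findings: List[dict]) -> Dict[str, int]:
    """Count exposed credentials by kind so the team can prioritise what to rotate."""
    summary: Dict[str, int] = {}
    for finding in findings:
        summary[finding["kind"]] = summary.get(finding["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for hit in hits:
        print(f"{hit['record_id']} [{hit['field']}] {hit['kind']}: {hit['preview']}")
    print("rotate by kind:", rotation_summary(hits))
```

The output deliberately shows only a redacted prefix of each secret: the goal of the pass is a rotation list, not a second copy of the credentials. Any key or token that appears in the export should be rotated regardless of whether it is still believed to be in use.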

In response to the unfolding situation, Salesforce took swift action on August 28, severing the Drift application’s integration with its platform as well as with its productivity tools, including Slack and Pardot. This incident has emerged amid a broader social engineering campaign that used voice phishing to convince targets to link a malicious application to their Salesforce portals. That campaign has already led to significant data breaches affecting high-profile companies such as Adidas and Qantas.

Amid these developments, Google also revealed that one of its corporate Salesforce instances had been compromised by a similar group of attackers, identified as UNC6040. This group, which has been linked to extortion attempts, has operated under the guise of the notorious ShinyHunters, known for their data leaks on cybercrime forums.

Notably, while some claims of responsibility for the Salesloft breach have surfaced from various Telegram channels, Google’s threat analysts, including principal threat analyst Austin Larsen, stress that there is currently no robust evidence connecting this incident to ShinyHunters or any other recognized groups. The involvement of these groups highlights a potential intersection between different cybercriminal operations, particularly concerning the tools and techniques employed.

The term “authorization sprawl,” coined by cybersecurity experts, encapsulates a core issue contributing to the success of social engineering attacks. It describes the accumulation of standing access tokens held by third-party integrations; attackers who obtain such legitimate tokens can move between corporate systems without raising immediate suspicion, because every request looks like the integration doing its normal work.
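To make the idea concrete, the following added example (written for this page, not code from Krebs on Security or any vendor named here) reviews a small inventory of integration grants and ranks them for revocation. The blast radius of an integration is the set of services its tokens reach, which is what an attacker inherits when that integration's token store is stolen. The grants, integration names, scope strings, dates and the list of "high-impact" scopes are all constructed assumptions; a real review would read the inventory from each service's connected-app or OAuth administration data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference time for the review (the article's timeline ends in late August 2025).
NOW = datetime(2025, 8, 29, tzinfo=timezone.utc)

# Scopes treated as high-impact for this example; an assumption, adjust per service.
HIGH_IMPACT_SCOPES = {"full", "refresh_token", "admin", "s3:*", "files:write", "chat:write"}


@dataclass(frozen=True)
class IntegrationGrant:
    """One token that a third-party integration holds for one of our services."""
    integration: str
    service: str
    scopes: frozenset
    last_used: datetime
    expires: Optional[datetime]  # None means the token never expires


# Constructed inventory of grants; names and dates are illustrative only.
SAMPLE_GRANTS: List[IntegrationGrant] = [
    IntegrationGrant("drift-chatbot", "salesforce", frozenset({"api", "refresh_token"}),
                     datetime(2025, 8, 18, tzinfo=timezone.utc), None),
    IntegrationGrant("drift-chatbot", "slack", frozenset({"chat:write"}),
                     datetime(2025, 8, 18, tzinfo=timezone.utc), None),
    IntegrationGrant("drift-chatbot", "google-workspace", frozenset({"gmail.readonly"}),
                     datetime(2025, 8, 10, tzinfo=timezone.utc), None),
    IntegrationGrant("ci-runner", "aws-s3", frozenset({"s3:*"}),
                     datetime(2025, 8, 28, tzinfo=timezone.utc),
                     datetime(2025, 9, 28, tzinfo=timezone.utc)),
    IntegrationGrant("legacy-report", "salesforce", frozenset({"api"}),
                     datetime(2025, 6, 1, tzinfo=timezone.utc), None),
]


def grant_issues(grant: IntegrationGrant, now: datetime = NOW,
                 stale_after: timedelta = timedelta(days=30)) -> List[str]:
    """List the hygiene problems with one grant (non-expiring, stale, over-broad)."""
    issues = []
    if grant.expires is None:
        issues.append("non-expiring token")
    idle = now - grant.last_used
    if idle > stale_after:
        issues.append(f"unused for {idle.days} days")
    broad = sorted(grant.scopes & HIGH_IMPACT_SCOPES)
    if broad:
        issues.append("high-impact scopes: " + ", ".join(broad))
    return issues


def blast_radius(grants: List[IntegrationGrant]) -> Dict[str, List[str]]:
    """Map each integration to the services reachable with its tokens."""
    reach: Dict[str, set] = {}
    for grant in grants:
        reach.setdefault(grant.integration, set()).add(grant.service)
    return {name: sorted(services) for name, services in reach.items()}


def revocation_plan(grants: List[IntegrationGrant], now: datetime = NOW) -> List[dict]:
    """Order grants for revocation: widest-reaching integrations first, then most issues."""
    radius = blast_radius(grants)
    plan = [{"integration": g.integration, "service": g.service,
             "reach": len(radius[g.integration]), "issues": grant_issues(g, now)}
            for g in grants]
    plan.sort(key=lambda p: (-p["reach"], -len(p["issues"]), p["integration"], p["service"]))
    return plan


if __name__ == "__main__":
    for entry in revocation_plan(SAMPLE_GRANTS):
        print(f"{entry['integration']:<14} {entry['service']:<17} reach={entry['reach']} "
              f"issues={entry['issues']}")
```

The ranking puts the chatbot integration first because a single compromise of its token store reaches three services, which is exactly the fan-out the article describes. Non-expiring tokens and tokens that have not been used in weeks are flagged as well, since both extend the window in which a stolen token stays valid.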

As investigations progress, Salesloft has engaged Mandiant, a subsidiary of Google Cloud, to probe the origins of the breach. Mandiant has committed to uncovering the underlying causes and will continue to share findings as they become available. The unfolding saga underscores the pressing need for businesses to fortify their cybersecurity postures, particularly regarding authentication processes and third-party integrations.

In terms of the tactics and techniques likely utilized in this breach, referencing the MITRE ATT&CK framework provides context. Initial access may have been gained through phishing or compromised credentials, followed by persistence tactics to maintain access long enough to conduct extensive data exfiltration. The attackers likely employed privilege escalation methods to amplify their access, alongside lateral movement to exploit connected services such as Salesforce.

This incident stands as a pertinent reminder that robust cybersecurity measures are essential in an increasingly interconnected digital landscape, particularly in safeguarding sensitive corporate data against evolving threats.
